Forum Discussion

F5_Jeff's avatar
F5_Jeff
Icon for Cirrus rankCirrus
Jan 25, 2019

Export ASM Event correlation

Hi All,

 

We are using F5 ASM version 13.1.0.4 and we want to export the Event correlation which we will be using for auditing.

 

Is there a way to export this information? if not, can we use an irule to log this (example: Client IP address, Destination IP Address, Attack type, Violation Rating, Time and Date,etc)

 

Thank you for your help!

 

ASM Advanced WAF
iRules
security

1 Reply

Sort By
  • suttonsc's avatar
    suttonsc
    Icon for Employee rankEmployee
    Jan 25, 2019

    I am not aware of a UI method to accomplish this. However, for the Event Correlation Incidents they can be retrieved via the REST API using the path "/mgmt/tm/asm/events/incidents"

    This is reduced to just the total Incident count and the ID and Attack type of the incidents:

    [root@centos-02 opt] curl -sku admin:admin https://${BIGIP_MGMT}/mgmt/tm/asm/events/incidents | jq -r '{Total_Incidents: .totalItems},(.items[]|[{ID: .id,Attack_Type: .incidentSubtype}])'
{
  "Total_Incidents": 1
}
[
  {
    "ID": "11446853164913095864",
    "Attack_Type": "Server-Side Include Injection Attempt"
  }
]

    Using the Incident ID from above we can get the data you outlined in the question using the select statement:

    [root@centos-02 opt] curl -sku admin:admin https://${BIGIP_MGMT}/mgmt/tm/asm/events/incidents/11446853164913095864?\$select=clientIp,virtualServerName,incidentSubtype,averageViolationRating,firstRequestDatetime,lastRequestDatetime,incidentStatus | jq .
{
  "firstRequestDatetime": "2019-01-25T20:28:20Z",
  "incidentSubtype": "Server-Side Include Injection Attempt",
  "clientIp": "10.1.155.177",
  "selfLink": "https://localhost/mgmt/tm/asm/events/incidents/11446853164913095864?$select=clientIp%2CvirtualServerName%2CincidentSubtype%2CaverageViolationRating%2CfirstRequestDatetime%2ClastRequestDatetime%2CincidentStatus&ver=13.1.0",
  "kind": "tm:asm:events:incidents:incidentstate",
  "lastRequestDatetime": "2019-01-25T20:37:02Z",
  "incidentStatus": "open",
  "virtualServerName": "/Common/httpbin_vs",
  "averageViolationRating": 1
}

    Or another formatting option would be to use jq to select the desired data and format it as desired:

    [root@centos-02 opt] curl -sku admin:admin https://${BIGIP_MGMT}/mgmt/tm/asm/events/incidents/11446853164913095864 | jq '{Client_IP_Address: .clientIp,Destination_Virtual_Server: .virtualServerName,Attack_Type: .incidentSubtype,Average_Violation_Rating: .averageViolationRating,First_Request_Time: .firstRequestDatetime,Last_Request_Time: .lastRequestDatetime,Status: .incidentStatus}'
{
  "Client_IP_Address": "10.1.155.177",
  "Destination_Virtual_Server": "/Common/httpbin_vs",
  "Attack_Type": "Server-Side Include Injection Attempt",
  "Average_Violation_Rating": 1,
  "First_Request_Time": "2019-01-25T20:28:20Z",
  "Last_Request_Time": "2019-01-25T20:37:02Z",
  "Status": "open"
}

    Here is the entire incident request we trimmed down earlier. It lists all the incident information, which can be exhaustive, and the associated requests. These can be queried to dig further into the data if needed by using the path supplied in the link: "/mgmt/tm/asm/events/requests/ 

    [root@centos-02 opt] curl -sku admin:admin https://${BIGIP_MGMT}/mgmt/tm/asm/events/incidents | jq .
{
  "kind": "tm:asm:events:incidents:incidentcollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/events/incidents?ver=13.1.0",
  "totalItems": 1,
  "items": [
    {
      "deviceId": "",
      "firstRequestDatetime": "2019-01-25T20:28:20Z",
      "enforcementState": {
        "violationReferences": [
          {
            "link": "https://localhost/mgmt/tm/asm/violations/Kg4ZClyfrkvbgrD1_soQxw?ver=13.1.0"
          }
        ],
        "attackTypeReferences": [
          {
            "link": "https://localhost/mgmt/tm/asm/attack-types/bPdfd8J74YS0zJeATrXJEA?ver=13.1.0"
          }
        ]
      },
      "incidentSubtype": "Server-Side Include Injection Attempt",
      "kind": "tm:asm:events:incidents:incidentstate",
      "selfLink": "https://localhost/mgmt/tm/asm/events/incidents/11446853164913095864?ver=13.1.0",
      "policyReference": {
        "link": "https://localhost/mgmt/tm/asm/policies/kvdCY2diDypYq6qcWvgiYQ?ver=13.1.0"
      },
      "geolocationCountryCode": "N/A",
      "requestsBlockedPercent": 0,
      "id": "11446853164913095864",
      "durationInSeconds": 522,
      "requestCount": 5213,
      "averageViolationRating": 1,
      "incidentTypeReference": {
        "link": "https://localhost/mgmt/tm/asm/incident-types/ucIf8YxFlyi28GpetmC76w?ver=13.1.0"
      },
      "description": "Server-Side Include Injection Attempt",
      "requestReferences": [
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423262951526?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024418?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024402?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024386?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024370?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263039428?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423262969536?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423262969520?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024290?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263039412?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263039396?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263039380?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423262969488?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423262969504?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024338?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024322?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024306?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024354?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263024274?ver=13.1.0"
        },
        {
          "link": "https://localhost/mgmt/tm/asm/events/requests/5023665423263039364?ver=13.1.0"
        }
      ],
      "clientIp": "10.1.155.177",
      "incidentSeverity": "medium",
      "lastRequestDatetime": "2019-01-25T20:37:02Z",
      "incidentStatus": "open",
      "virtualServerName": "/Common/httpbin_vs"
    }
  ]
}